How are challenge tests evaluated?

Hi all, I have been digging into the FCC repo and am trying to comprehend the codebase. I am interested to know how the user input for JS challenges gets validated?
Now I know about assertion and unit testing so I get that part.
The description of the test itsself seems to live in: /curriculum/challenges/

But where , and how does the user input get validated in the codebase? And more importantly: how do we prevent malicious user input from causing harm?

Thanks in advance everybody

Here it is: